CN102510333B - Authorization method and system - Google Patents
Authorization method and system Download PDFInfo
- Publication number
- CN102510333B CN102510333B CN201110301864.3A CN201110301864A CN102510333B CN 102510333 B CN102510333 B CN 102510333B CN 201110301864 A CN201110301864 A CN 201110301864A CN 102510333 B CN102510333 B CN 102510333B
- Authority
- CN
- China
- Prior art keywords
- key
- module
- signature
- external authentication
- computer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 169
- 238000000034 method Methods 0.000 title claims abstract description 66
- 238000004364 calculation method Methods 0.000 claims description 68
- 238000012795 verification Methods 0.000 claims description 60
- FGUUSXIOTUKUDN-IBGZPJMESA-N C1(=CC=CC=C1)N1C2=C(NC([C@H](C1)NC=1OC(=NN=1)C1=CC=CC=C1)=O)C=CC=C2 Chemical compound C1(=CC=CC=C1)N1C2=C(NC([C@H](C1)NC=1OC(=NN=1)C1=CC=CC=C1)=O)C=CC=C2 FGUUSXIOTUKUDN-IBGZPJMESA-N 0.000 claims description 8
- 238000009434 installation Methods 0.000 claims 5
- 230000001360 synchronised effect Effects 0.000 claims 2
- 230000005540 biological transmission Effects 0.000 claims 1
- 238000007726 management method Methods 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
本发明公开一种授权认证方法和系统,该方法包括:在签名Key和授权Key中设置签名Key的外部认证密钥,外部认证密钥与签名Key的序列号一一对应;授权Key将加密公钥通过第一计算机发送给签名Key进行保存;第二计算机接收到身份认证请求后从签名Key中获取第二随机数和序列号并发送给授权Key;授权Key使用序列号查找外部认证密钥,并使用其与加密私钥对第二随机数进行签名生成待验证数据并通过第二计算机发送给签名Key;签名Key使用加密公钥和外部认证密钥对接收到的待验证数据进行验证。本方法实现了授权Key与签名Key一对一或一对多的关联,签名Key在授权Key对其身份认证通过后,才能对每笔交易的数据进行签名,从而确保银企交易的真实性,合法性。
The invention discloses an authorization authentication method and system. The method includes: setting an external authentication key of the signature Key in the signature Key and the authorization Key, and the external authentication key is in one-to-one correspondence with the serial number of the signature Key; The key is sent to the signature Key by the first computer for storage; after receiving the identity authentication request, the second computer obtains the second random number and serial number from the signature Key and sends it to the authorization key; the authorization key uses the serial number to find the external authentication key, And use it and the encryption private key to sign the second random number to generate the data to be verified and send it to the signature Key through the second computer; the signature Key uses the encryption public key and the external authentication key to verify the received data to be verified. This method realizes the one-to-one or one-to-many association between the authorization key and the signature key. The signature key can only sign the data of each transaction after the authorization key passes its identity authentication, so as to ensure the authenticity of the bank-enterprise transaction. legality.
Description
技术领域 technical field
本发明涉及信息安全领域,尤其涉及通过签名Key和授权Key实现的一种授权认证方法及系统。The invention relates to the field of information security, in particular to an authorization authentication method and system realized by a signature Key and an authorization Key.
背景技术 Background technique
目前,随着计算机技术的快速发展,网上银行(简称网银)越来也普及,有更多的人开始使用这种方便快捷的网银服务,如个人网上银行、企业网上银行、手机银行等,这些网银的应用都是通过互联网方式与网银后台服务器进行交互。还有一种网上银行的模式为银企直联,此模式实现了企业系统(财务系统/企业管理系统SAP/企业资源规划系统ERP)与银行系统网络层次的安全链接,可以有效的避免来自互联网的攻击。但是对于不同的企业,其内部管理规则不统一,如果不对企业前置机进行安全有效的认证与管理,容易给银行与企业带来风险与损失。At present, with the rapid development of computer technology, online banking (referred to as online banking) is becoming more and more popular, and more and more people are beginning to use this convenient and fast online banking service, such as personal online banking, corporate online banking, mobile banking, etc. These The applications of online banking interact with the background server of online banking through the Internet. Another mode of online banking is bank-enterprise direct connection. This mode realizes the secure link between the enterprise system (financial system/enterprise management system SAP/enterprise resource planning system ERP) and the banking system at the network level, which can effectively avoid Internet access. attack. However, for different enterprises, their internal management rules are not uniform. If they do not carry out safe and effective certification and management of enterprise front-end computers, it is easy to bring risks and losses to banks and enterprises.
现有技术中,企业前置机由专人管理,USB Key始终插在前置机上,USB Key需要授权才可以使用,授权过程值是PIN码的确认过程,现有技术中PIN码是固定的,容易泄漏,且由于USB Key是便携设备,容易被转移到其他设备上使用,存在安全隐患;在进行网上交易时,每笔交易都要重复输入验证PIN码,操作比较繁琐;由于输入PIN码缓存到软件层中,每次签名时都需软件与硬件进行交互来认证PIN码,而这样做会对系统的整体响应造成影响。In the prior art, the front-end computer of the enterprise is managed by a special person, and the USB Key is always inserted in the front-end computer. The USB Key needs to be authorized before it can be used. The value of the authorization process is the confirmation process of the PIN code. In the prior art, the PIN code is fixed. It is easy to leak, and because the USB Key is a portable device, it is easy to be transferred to other devices for use, posing a security risk; when conducting online transactions, the verification PIN code must be repeatedly entered for each transaction, and the operation is cumbersome; due to the PIN code cache At the software layer, every time a signature is signed, the software needs to interact with the hardware to authenticate the PIN code, and doing so will affect the overall response of the system.
发明内容 Contents of the invention
本发明的目的是为了解决USB Key易被转移、签名需重复验证PIN码的问题,提供了一种授权认证方法及系统。The purpose of the present invention is to provide an authorization authentication method and system in order to solve the problems that the USB Key is easy to be transferred and the signature needs to repeatedly verify the PIN code.
本发明提供的一种授权认证方法,包括关联过程和认证过程,其中关联过程包括:An authorization authentication method provided by the present invention includes an association process and an authentication process, wherein the association process includes:
步骤a:第一计算机接收到关联请求后,在签名Key和授权Key中设置所述签名Key的外部认证密钥,所述外部认证密钥与所述签名Key的序列号一一对应;Step a: after the first computer receives the association request, set the external authentication key of the signature key in the signature key and the authorization key, and the external authentication key is in one-to-one correspondence with the serial number of the signature key;
步骤b:所述第一计算机从所述授权Key中将加密公钥导出并发送给所述签名Key;Step b: the first computer derives the encryption public key from the authorization key and sends it to the signature key;
步骤c:所述签名Key保存所述加密公钥;Step c: the signature Key saves the encrypted public key;
其中认证过程包括:The certification process includes:
步骤d:第二计算机接收到身份认证请求后,从所述签名Key中获取第二随机数和所述序列号,并将其发送给所述授权Key;Step d: After receiving the identity authentication request, the second computer obtains the second random number and the serial number from the signature Key, and sends them to the authorization Key;
步骤e:所述授权Key根据接收到的所述序列号查找对应的外部认证密钥,使用所述外部认证密钥和与所述加密公钥对应的加密私钥对接收到的所述第二随机数进行签名生成待验证数据,将所述待验证数据通过所述第二计算机发送给所述签名Key;Step e: The authorization key searches for the corresponding external authentication key according to the received serial number, and uses the external authentication key and the encrypted private key corresponding to the encrypted public key to pair the received second Random numbers are signed to generate data to be verified, and the data to be verified is sent to the signature Key through the second computer;
步骤f:所述签名Key使用所述加密公钥和所述外部认证密钥对接收到的所述待验证数据进行验证。Step f: The signature Key uses the encrypted public key and the external authentication key to verify the received data to be verified.
其中,所述步骤a中第一计算机接收到关联请求后还包括:Wherein, after the first computer receives the association request in step a, it also includes:
所述第一计算机判断是否有授权Key与其连接,是则在签名Key和授权Key中设置所述签名Key的外部认证密钥,否则结束。The first computer judges whether there is an authorization key connected to it, and if yes, sets the external authentication key of the signature key in the signature key and the authorization key, otherwise, ends.
其中,所述第一计算机在签名Key和授权Key中设置所述签名Key的外部认证密钥,具体为:Wherein, the first computer sets the external authentication key of the signature key in the signature key and the authorization key, specifically:
所述第一计算机从所述签名Key中获取所述外部认证密钥,并将其发送给授权Key,所述授权Key接收所述外部认证密钥并进行保存。The first computer obtains the external authentication key from the signature key, and sends it to the authorization key, and the authorization key receives and stores the external authentication key.
其中,所述第一计算机在签名Key和授权Key中设置所述签名Key的外部认证密钥,具体为:Wherein, the first computer sets the external authentication key of the signature key in the signature key and the authorization key, specifically:
所述第一计算机从所述签名Key中获取序列号;The first computer obtains the serial number from the signature Key;
所述第一计算机设置所述签名Key的外部认证密钥,如果设置成功则将所述获取的序列号和所述外部认证密钥发送给授权Key,否则结束;The first computer sets the external authentication key of the signature key, and if the setting is successful, sends the obtained serial number and the external authentication key to the authorization key, otherwise ends;
所述授权Key接收所述序列号和外部认证密钥并进行保存。The authorization Key receives and saves the serial number and the external authentication key.
其中,所述第一计算机设置所述签名Key的外部认证密钥,具体为:Wherein, the first computer sets the external authentication key of the signature Key, specifically:
所述第一计算机从所述签名Key中获取所述外部认证密钥。The first computer obtains the external authentication key from the signature key.
其中,所述第一计算机设置所述签名Key的外部认证密钥,具体为:Wherein, the first computer sets the external authentication key of the signature Key, specifically:
所述第一计算机从所述授权Key中获得外部认证密钥;The first computer obtains an external authentication key from the authorization key;
所述第一计算机将所述外部认证密钥发送给所述签名Key,所述签名Key接收所述外部认证密钥并进行保存;The first computer sends the external authentication key to the signature key, and the signature key receives the external authentication key and saves it;
所述外部认证密钥是所述授权Key随机生成的或预先设置的。The external authentication key is randomly generated or preset by the authorization key.
其中,所述第一计算机设置所述签名Key的外部认证密钥,具体为:Wherein, the first computer sets the external authentication key of the signature Key, specifically:
所述第一计算机生成预定长度的随机串,并将其设为所述签名Key的外部认证密钥;The first computer generates a random string of predetermined length, and sets it as the external authentication key of the signature Key;
所述第一计算机将所述外部认证密钥发送给所述签名Key,所述签名Key接收所述外部认证密钥进行保存。The first computer sends the external authentication key to the signature key, and the signature key receives the external authentication key for storage.
其中,所述第一计算机设置所述签名Key的外部认证密钥,具体为:Wherein, the first computer sets the external authentication key of the signature Key, specifically:
所述第一计算机从所述签名Key和授权Key分别获取各自生成的随机串,将两者进行拼接或合并生成所述外部认证密钥;The first computer obtains respectively generated random strings from the signature Key and the authorization Key, and splices or merges the two to generate the external authentication key;
所述第一计算机将所述外部认证密钥发送给所述签名Key,所述签名Key接收所述外部认证密钥进行保存。The first computer sends the external authentication key to the signature key, and the signature key receives the external authentication key for storage.
其中,在步骤b之前还包括:所述授权Key使用加密算法生成所述加密私钥和所述加密公钥。Wherein, before step b, it further includes: the authorization key generates the encryption private key and the encryption public key using an encryption algorithm.
其中,所述步骤d中第二计算机接收到身份认证请求之后还包括:Wherein, after the second computer receives the identity authentication request in the step d, it also includes:
所述第二计算机判断是否有授权Key与其连接,是则所述第二计算机从所述签名Key中获取第二随机数和所述序列号,并将其发送给所述授权Key,否则结束。The second computer judges whether there is an authorization key connected to it, if yes, the second computer obtains the second random number and the serial number from the signature key, and sends them to the authorization key, otherwise, ends.
其中,所述第二计算机接收到身份认证请求之后,还包括:Wherein, after the second computer receives the identity authentication request, it also includes:
所述第二计算机对所述授权Key的PIN码进行验证,如验证通过,则将所述第二随机数和所述序列号发送给所述授权Key,如验证未通过则结束。The second computer verifies the PIN code of the authorization key, and if the verification passes, then sends the second random number and the serial number to the authorization key, and ends if the verification fails.
其中,所述第二计算机对所述授权Key的PIN码进行验证,具体为:Wherein, the second computer verifies the PIN code of the authorization key, specifically:
所述第二计算机从授权Key中获取第一随机数,使用接收到的用户输入的授权Key的PIN码对所述第一随机数进行加密生成第一加密数据,将所述第一加密数据发送给授权Key;The second computer obtains a first random number from the authorization key, encrypts the first random number using the received PIN code of the authorization key input by the user to generate first encrypted data, and sends the first encrypted data to Give the authorization key;
所述授权Key接收所述第一加密数据,使用存储的PIN码对所述第一随机数进行加密生成第二加密数据,并判断其与第一加密数据是否相同,如相同则给第二计算机返回验证通过信息,如不同则结束。The authorized Key receives the first encrypted data, uses the stored PIN code to encrypt the first random number to generate second encrypted data, and judges whether it is the same as the first encrypted data, and if so, sends the encrypted data to the second computer Return the verification pass information, if not, end.
其中,所述步骤e中所述授权Key使用所述外部认证密钥和所述加密私钥对接收到的所述第二随机数进行签名生成待验证数据,具体为:Wherein, the authorized Key in the step e uses the external authentication key and the encrypted private key to sign the received second random number to generate the data to be verified, specifically:
所述授权Key使用所述外部认证密钥对所述第二随机数进行计算得到第一计算结果,使用所述加密私钥对所述第一计算结果进行签名生成待验证数据。The authorization key uses the external authentication key to calculate the second random number to obtain a first calculation result, and uses the encrypted private key to sign the first calculation result to generate data to be verified.
其中,所述授权Key使用所述外部认证密钥对所述第二随机数进行加密算法得到第一计算结果。Wherein, the authorization key uses the external authentication key to perform an encryption algorithm on the second random number to obtain the first calculation result.
其中,所述步骤f具体为:所述签名Key使用所述加密公钥对接收到的所述待验证数据进行解密,如解密成功则使用所述外部认证密钥对所述第二随机数进行计算生成第二计算结果,判断所述第二计算结果和解密成功的结果是否一致,是则验证通过,否则结束;如解密失败则结束。Wherein, the step f is specifically: the signature Key uses the encrypted public key to decrypt the received data to be verified, and if the decryption is successful, uses the external authentication key to decrypt the second random number Calculating to generate a second calculation result, judging whether the second calculation result is consistent with the successful decryption result, if yes, the verification is passed, otherwise, end; if the decryption fails, then end.
其中,所述授权Key将所述待验证数据和第一计算结果通过所述第二计算机发送给所述签名Key。Wherein, the authorization Key sends the data to be verified and the first calculation result to the signature Key through the second computer.
其中,所述步骤f具体为:所述签名Key使用所述加密公钥对接收到的所述待验证数据进行解密,如解密成功则使用所述外部认证密钥对所述第二随机数进行计算生成第二计算结果,判断所述第二计算结果和接收到的所述第一计算结果是否一致,是则验证通过,否则结束;如解密失败则结束。Wherein, the step f is specifically: the signature Key uses the encrypted public key to decrypt the received data to be verified, and if the decryption is successful, uses the external authentication key to decrypt the second random number Calculating to generate a second calculation result, judging whether the second calculation result is consistent with the received first calculation result, if yes, then the verification is passed, otherwise, end; if the decryption fails, then end.
其中,所述步骤f具体为:所述签名Key使用所述加密公钥对接收到的所述待验证数据进行解密,如解密成功则得到第一解密结果,使用所述外部认证密钥对所述第一解密结果进行解密,如解密成功得到第二解密结果,判断所述第二解密结果与所述第二随机数是否一致,如一致则验证通过,否则结束;如解密失败则结束;如解密失败则结束。Wherein, the step f specifically includes: the signature Key uses the encryption public key to decrypt the received data to be verified, if the decryption is successful, a first decryption result is obtained, and the external authentication key is used to decrypt the data to be verified. The first decryption result is decrypted, if the decryption is successful, the second decryption result is obtained, and it is judged whether the second decryption result is consistent with the second random number, if it is consistent, the verification is passed, otherwise it ends; if the decryption fails, it ends; If the decryption fails, it ends.
其中,如验证通过,所述签名Key给所述第二计算机返回验证通过提示信息。Wherein, if the verification is passed, the signature Key returns a verification passing prompt message to the second computer.
其中,在验证通过之后,还包括:所述授权Key和签名Key同步更新所述外部认证密钥。Wherein, after the verification is passed, it further includes: synchronously updating the external authentication key with the authorization key and the signature key.
其中,所述授权Key和签名Key同步更新所述外部认证密钥,具体为:Wherein, the authorization Key and the signature Key update the external authentication key synchronously, specifically:
所述第二计算机从所述签名key中获取第三随机数和所述签名Key的序列号并将其发送给所述授权Key;The second computer obtains a third random number and the serial number of the signature key from the signature key and sends it to the authorization key;
所述授权Key根据接收到所述序列号找到所述外部认证密钥,使用所述加密私钥对接收到的所述第三随机数进行加密,将加密结果通过所述第二计算机发送给所述签名Key;The authorization key finds the external authentication key according to the received serial number, uses the encrypted private key to encrypt the received third random number, and sends the encrypted result to the second computer through the second computer. The above signature Key;
所述签名Key使用所述加密公钥对接收到的所述加密结果进行解密,如解密成功,则将所述外部认证密钥替换为所述第三随机数,并通过所述第二计算机给所述授权Key返回验证通过信息,如解密失败则结束;The signature Key uses the encryption public key to decrypt the received encryption result, and if the decryption is successful, replace the external authentication key with the third random number, and give The authorization Key returns the verification passing information, and ends if the decryption fails;
所述授权Key在接收到所述验证通过信息后将存储的外部认证密钥更新为所述第三随机数。The authorization key updates the stored external authentication key to the third random number after receiving the verification passing information.
本发明又提供一种授权认证系统,包括:授权Key、计算机和签名Key;The present invention also provides an authorization authentication system, including: an authorization Key, a computer, and a signature Key;
所述授权Key包括:The authorization key includes:
第一接收模块,用于在认证时接收所述计算机发送的所述签名Key的序列号和第二随机数;The first receiving module is used to receive the serial number and the second random number of the signature Key sent by the computer during authentication;
第一存储模块:用于存储加密公钥和加密私钥,接收所述计算机发送的外部认证密钥并进行保存;The first storage module: used to store the encryption public key and the encryption private key, receive and store the external authentication key sent by the computer;
查找模块,用于在认证时根据接收到的所述签名Key的序列号在所述第一存储模块中查找对应的外部认证密钥;A search module, configured to search for a corresponding external authentication key in the first storage module according to the received serial number of the signature Key during authentication;
签名模块,用于使用查找到的所述外部认证密钥和所述加密私钥对接收到的所述第二随机数进行签名生成待验证数据;A signature module, configured to use the found external authentication key and the encrypted private key to sign the received second random number to generate data to be verified;
第一发送模块,用于将所述加密公钥和待验证数据发送给所述计算机;a first sending module, configured to send the encryption public key and the data to be verified to the computer;
第一接口模块,用于与计算机建立连接;The first interface module is used to establish a connection with the computer;
所述计算机包括:The computers include:
第二接收模块,用于接收用户发起的关联请求和身份认证请求,接收所述第一发送模块发送的所述加密公钥和待验证数据;The second receiving module is configured to receive an association request and an identity authentication request initiated by a user, and receive the encrypted public key and data to be verified sent by the first sending module;
设置模块,用于在接收到所述关联请求时在所述签名Key和授权Key中设置所述签名Key的所述外部认证密钥;A setting module, configured to set the external authentication key of the signature key in the signature key and the authorization key when the association request is received;
获取模块,用于在接收到身份认证请求时从所述签名Key中获取第二随机数和所述签名Key的序列号;An acquisition module, configured to acquire a second random number and a serial number of the signature Key from the signature Key when an identity authentication request is received;
第二发送模块,用于在关联时将接收到的加密公钥发送给所述签名Key;在认证时将获取的所述签名Key的序列号和第二随机数发送给所述授权Key,将接收到的所述待验证数据发送给所述签名Key;The second sending module is configured to send the received encryption public key to the signature Key during association; to send the acquired serial number and the second random number of the signature Key to the authorization Key during authentication, and The received data to be verified is sent to the signature Key;
第二接口模块,用于与所述授权Key和签名Key建立连接;The second interface module is used to establish a connection with the authorization Key and the signature Key;
所述签名Key包括:The signature Key includes:
第三接收模块,用于接收所述第二发送模块发送的加密公钥和待验证数据;A third receiving module, configured to receive the encrypted public key and the data to be verified sent by the second sending module;
第二存储模块,用于存储所述外部认证密钥、所述签名Key的序列号、所述第二随机数和接收到的所述加密公钥;A second storage module, configured to store the external authentication key, the serial number of the signature Key, the second random number and the received encrypted public key;
验证模块,用于使用存储的所述加密公钥和外部认证密钥对接收到的所述待验证数据进行验证;a verification module, configured to use the stored encrypted public key and external authentication key to verify the received data to be verified;
第三接口模块,用于与计算机建立连接。The third interface module is used to establish a connection with the computer.
其中,所述设置模块包括:生成单元,用于生成外部认证密钥;发送单元,用于将所述外部认证密钥发送给所述授权Key和签名Key。Wherein, the setting module includes: a generating unit for generating an external authentication key; a sending unit for sending the external authentication key to the authorization key and signature key.
其中,所述授权Key还包括第一生成模块,所述签名Key还包括第二生成模块,所述第一生成模块用于生成第一随机串,所述第二生成模块用于生成第二随机串;所述设置模块还包括获取单元;所述获取单元用于从所述第一生成模块和第二生成模块中分别获取所述第一随机串和第二随机串;所述生成单元具体用于将所述获取的第一随机串和第二随机串进行拼接或合并生成所述外部认证密钥。Wherein, the authorization key also includes a first generation module, and the signature key also includes a second generation module, the first generation module is used to generate a first random string, and the second generation module is used to generate a second random string string; the setting module also includes an acquisition unit; the acquisition unit is used to obtain the first random string and the second random string from the first generation module and the second generation module respectively; the generation unit is specifically used The external authentication key is generated by splicing or merging the acquired first random string and second random string.
其中,所述设置模块包括:获取单元,用于在接收到关联请求时从所述第二存储模块中获取所述外部认证密钥;发送单元,用于将所述获取到的所述外部认证密钥发送给所述第一存储模块。Wherein, the setting module includes: an obtaining unit, configured to obtain the external authentication key from the second storage module when an association request is received; a sending unit, configured to transfer the obtained external authentication key The key is sent to the first storage module.
其中,所述设置模块包括:获取单元,用于在接收到关联请求时从所述第一存储模块中获取所述外部认证密钥;发送单元,用于将所述获取到的所述外部认证密钥发送给所述第二存储模块。Wherein, the setting module includes: an obtaining unit, configured to obtain the external authentication key from the first storage module when an association request is received; a sending unit, configured to transfer the obtained external authentication key The key is sent to the second storage module.
其中,所述设置模块的获取单元还用于在接收到关联请求时从所述第二存储模块中获取所述签名Key的序列号;发送单元还用于将所述获取到的所述签名Key的序列号发送给所述第一存储模块;所述第一存储模块还用于存储所述签名Key的序列号。Wherein, the obtaining unit of the setting module is also used to obtain the serial number of the signature Key from the second storage module when receiving the association request; the sending unit is also used to transfer the obtained signature Key The serial number of the signature key is sent to the first storage module; the first storage module is also used to store the serial number of the signature key.
其中,所述授权Key还包括第一生成模块,用于根据公钥加密算法生成所述加密公钥和加密私钥。Wherein, the authorization key further includes a first generating module, configured to generate the encrypted public key and encrypted private key according to a public key encryption algorithm.
其中,所述第一生成模块还用于生成第一随机数。Wherein, the first generation module is also used to generate a first random number.
其中,所述计算机还包括第二加密模块;第二接收模块还用于接收用户输入的授权Key的PIN码;所述获取模块还用于从授权Key中获取第一随机数;所述第二加密模块用于使用所述接收到的用户输入的授权Key的PIN码对所述获取到的第一随机数进行加密,生成第一加密数据;所述第二发送模块还用于将所述第一加密数据发送给所述第一接收模块;所述授权Key还包括第一加密模块和第一判断模块;所述第一接收模块还用于接收第二发送模块发送的第一加密数据;所述第一存储模块还用于存储第一随机数和授权Key的PIN码;所述第一加密模块用于使用存储的所述授权Key的PIN码对存储的所述第一随机数进行加密生成第二加密数据;所述第一判断模块用于判断所述第二加密数据与接收到的所述第一加密数据是否相同。Wherein, the computer also includes a second encryption module; the second receiving module is also used to receive the PIN code of the authorization key input by the user; the acquisition module is also used to obtain the first random number from the authorization key; the second The encryption module is used to encrypt the obtained first random number by using the received PIN code of the authorization key input by the user to generate first encrypted data; the second sending module is also used to send the first random number An encrypted data is sent to the first receiving module; the authorization Key also includes a first encryption module and a first judgment module; the first receiving module is also used to receive the first encrypted data sent by the second sending module; The first storage module is also used to store the first random number and the PIN code of the authorization key; the first encryption module is used to encrypt and generate the stored first random number using the stored PIN code of the authorization key Second encrypted data; the first judging module is used to judge whether the second encrypted data is the same as the received first encrypted data.
其中,所述计算机还包括第二判断模块,用于判断是否有授权Key与所述计算机连接。Wherein, the computer further includes a second judging module for judging whether an authorized Key is connected to the computer.
其中,所述签名模块包括:第一计算单元,用于使用查找到的所述外部认证密钥对存储的所述第二随机数进行计算生成第一计算结果;签名单元,用于使用所述存储的加密私钥对所述第一计算结果进行签名生成待验证数据。Wherein, the signature module includes: a first calculation unit, configured to use the found external authentication key to calculate the stored second random number to generate a first calculation result; a signature unit, configured to use the The stored encrypted private key signs the first calculation result to generate data to be verified.
其中,所述验证模块包括:解密单元,用于使用存储的所述加密公钥对接收到的所述待验证数据进行解密;第二计算单元,用于使用存储的所述外部认证密钥对存储的所述第二随机数进行计算,生成第二计算结果;判断单元,用于判断解密成功得到的解密结果与所述第二计算结果是否相同。Wherein, the verification module includes: a decryption unit, configured to use the stored encrypted public key to decrypt the received data to be verified; a second calculation unit, configured to use the stored external authentication key pair The stored second random number is calculated to generate a second calculation result; the judging unit is configured to judge whether the decryption result obtained through successful decryption is the same as the second calculation result.
其中,所述第一计算单元具体用于使用查找到的所述外部认证密钥对存储的所述第二随机数进行加密计算生成第一计算结果。Wherein, the first calculation unit is specifically configured to use the found external authentication key to encrypt and calculate the stored second random number to generate a first calculation result.
其中,所述第一发送单元还用于发送所述第一计算结果;所述第二接收模块还用于接收所述第一计算结果,所述第二发送模块还用于将接收到的所述第一计算结果发送给第三接收模块;所述第三接收模块还用于接收所述第一计算结果。Wherein, the first sending unit is also used to send the first calculation result; the second receiving module is also used to receive the first calculation result, and the second sending module is also used to send the received The first calculation result is sent to a third receiving module; the third receiving module is also configured to receive the first calculation result.
其中,所述验证模块包括:解密单元,用于使用存储的所述加密公钥对接收到的所述待验证数据进行解密;判断单元,用于判断解密成功得到的解密结果与所述接收到的第一计算结果是否相同。Wherein, the verification module includes: a decryption unit, configured to decrypt the received data to be verified by using the stored encrypted public key; Whether the first calculation result of is the same.
其中,所述验证模块包括:第一解密单元,用于使用存储的所述加密公钥对接收到的所述待验证数据进行解密;第二解密单元,用于使用存储的所述外部认证密钥对第一解密单元解密成功得到的结果进行解密;判断单元,用于判断所述第二解密单元解密成功得到的解密结果与存储的所述第二随机数是否相同。Wherein, the verification module includes: a first decryption unit, configured to use the stored encrypted public key to decrypt the received data to be verified; a second decryption unit, configured to use the stored external authentication key The key decrypts the result successfully decrypted by the first decryption unit; the judging unit is configured to judge whether the decrypted result successfully decrypted by the second decryption unit is the same as the stored second random number.
其中,所述签名Key还包括第三发送模块,用于在验证通过时给所述计算机发送验证通过提示信息。Wherein, the signature Key further includes a third sending module, configured to send verification passing prompt information to the computer when the verification is passed.
其中,所述授权Key还包括更新模块,所述签名Key还包括解密模块和替换模块;所述第二接收模块还用于接收所述第一发送模块发送的加密结果,接收第三发送模块发送的验证成功信息;所述获取模块还用于从所述签名Key中获取第三随机数和签名Key的序列号;所述第二发送模块还用于将获取到的所述第三随机数和签名Key的序列号发送给所述第一接收模块,将接收到的所述验证成功信息发送给所述更新模块,用于将接收到的所述加密结果发送给所述第三接收模块;所述第一接收模块还用于接收所述第二发送模块发送的所述第三随机数和签名Key的序列号;所述第一存储模块还用于存储第三随机数;所述查找单元还用于根据接收到的所述签名Key的序列号在所述第一存储模块中查找对应的外部认证密钥;所述第一加密模块还用于根据所述第一存储模块中的加密私钥对接收到的所述第三随机数进行加密;所述更新模块用于在接收到验证成功信息后,将所述第一存储模块中的外部认证密钥更新为所述第三随机数;第一发送模块还用于将所述第一加密模块中的加密结果发送给所述第二接收模块;所述第三接收模块还用于接收所述第二发送模块发送的加密结果;所述第二存储模块还用存储第三随机数;所述解密模块用于使用所述第二存储模块中的所述加密公钥对接收到的所述加密结果进行解密;所述替换模块用于在所述解密模块解密成功时将所述第二存储模块中的外部认证密钥替换为所述第三随机数;所述第三发送模块还用于在所述解密模块解密成功时向所述第二接收模块发送验证成功信息。Wherein, the authorization Key also includes an update module, and the signature Key also includes a decryption module and a replacement module; the second receiving module is also used to receive the encryption result sent by the first sending module, and receive the encryption result sent by the third sending module. The verification success information; The acquisition module is also used to obtain the third random number and the serial number of the signature Key from the signature Key; The second sending module is also used to obtain the third random number and The serial number of the signature Key is sent to the first receiving module, and the received verification success information is sent to the update module, for sending the received encryption result to the third receiving module; The first receiving module is also used to receive the third random number and the serial number of the signature Key sent by the second sending module; the first storage module is also used to store the third random number; the search unit is also It is used to search the corresponding external authentication key in the first storage module according to the received serial number of the signature Key; the first encryption module is also used to search the corresponding external authentication key according to the encrypted private key in the first storage module Encrypting the received third random number; the update module is configured to update the external authentication key in the first storage module to the third random number after receiving the successful verification information; A sending module is also used to send the encryption result in the first encryption module to the second receiving module; the third receiving module is also used to receive the encryption result sent by the second sending module; the first The second storage module is also used to store a third random number; the decryption module is used to use the encryption public key in the second storage module to decrypt the received encryption result; the replacement module is used to When the decryption module successfully decrypts, replace the external authentication key in the second storage module with the third random number; the third sending module is also used to send the second random number to the second The receiving module sends verification success information.
本发明与现有技术相比,具有以下优点:Compared with the prior art, the present invention has the following advantages:
本发明实现了授权Key与签名Key一对一或一对多的关联,签名Key通过授权Key认证来取得签名权限,签名Key在授权Key对其身份认证通过后,才能对每笔交易的数据进行签名,从而确保银企交易的真实性,合法性;本发明提供的方法只要签名Key不拔出或认证的计算机重启,就不需要再次对签名Key进行认证,简化多次进行签名操作的繁琐操作。The present invention realizes the one-to-one or one-to-many association between the authorization Key and the signature Key. The signature Key obtains the signature authority through the authentication of the authorization Key. signature, thereby ensuring the authenticity and legitimacy of bank-enterprise transactions; as long as the signature Key is not pulled out or the certified computer is restarted in the method provided by the invention, the signature Key does not need to be authenticated again, which simplifies the cumbersome operation of multiple signature operations .
附图说明 Description of drawings
图1为本发明实施例一提供的一种授权认证方法流程图;FIG. 1 is a flowchart of an authorization authentication method provided by Embodiment 1 of the present invention;
图2为本发明实施例二提供的又一种授权认证方法的关联过程的流程图;FIG. 2 is a flow chart of an association process of another authorization authentication method provided in Embodiment 2 of the present invention;
图3为本发明实施例二提供的又一种授权认证方法的认证过程的流程图;FIG. 3 is a flowchart of an authentication process of another authorization authentication method provided in Embodiment 2 of the present invention;
图4为本发明实施例二提供的又一种授权认证方法中的认证过程结束后授权Key和签名Key同时更新外部认证密钥的流程图;FIG. 4 is a flow chart of simultaneously updating the external authentication key by the authorization Key and the signature Key in yet another authorization authentication method provided by Embodiment 2 of the present invention after the authentication process ends;
图5为本发明实施例三提供的一种授权认证系统的方框图;FIG. 5 is a block diagram of an authorization authentication system provided by Embodiment 3 of the present invention;
图6为本发明实施例四提供的另一种授权认证系统的方框图。FIG. 6 is a block diagram of another authorization authentication system provided by Embodiment 4 of the present invention.
具体实施方式 Detailed ways
为更近一步阐述本发明为达成预订目的所采取的技术手段及功效,以下结合附图及较佳实施例,对依据本发明提出的一种授权认证方法及系统,其具体实施方式、特征及功效,说明如后。In order to further explain the technical means and effects of the present invention to achieve the purpose of booking, the following is combined with the accompanying drawings and preferred embodiments to describe an authorization authentication method and system according to the present invention, its specific implementation, features and Efficacy, as described below.
实施例一Embodiment one
本实施例提供了一种授权认证方法,是在签名Key插入到计算机上时进行的,签名Key与签名Key进行一对多的关联,如图1所示,该方法中授权Key与签名Key建立关联的过程包括S101-S107;This embodiment provides a kind of authorized authentication method, is carried out when signature Key is inserted on the computer, and signature Key carries out one-to-many association with signature Key, as shown in Figure 1, authorization Key and signature Key are established in this method The associated process includes S101-S107;
S101:第一计算机接收到关联请求,判断是否有授权Key与该第一计算机连接,是则执行S102,否则结束;S101: The first computer receives the association request, and judges whether there is an authorization key connected to the first computer, if yes, execute S102, otherwise end;
S102:第一计算机从签名Key中获取序列号;S102: the first computer obtains the serial number from the signature Key;
具体的,在本实施例中,序列号的长度为事先约定的12位,该序列号作为外部认证密钥的ID;Specifically, in this embodiment, the length of the serial number is 12 bits agreed in advance, and the serial number is used as the ID of the external authentication key;
S103:第一计算机设置所述签名Key的外部认证密钥,如果设置成功则执行步骤104,否则结束;S103: The first computer sets the external authentication key of the signature key, if the setting is successful, execute step 104, otherwise end;
优选地,在本实施例中,S103之前还包括Preferably, in this embodiment, S103 also includes
S103’:第一计算机对所述签名key进行身份验证,验证通过则继续,否则结束;S103': The first computer performs identity verification on the signature key, if the verification is passed, continue, otherwise end;
优选地,在本实施例中,所述第一计算机设置签名Key的外部认证密钥具体为:Preferably, in this embodiment, the external authentication key of the signature key set by the first computer is specifically:
S103-1:第一计算机生成预定长度的随机串;S103-1: the first computer generates a random string of predetermined length;
S103-2:第一计算机将生成的随机串设为签名Key的外部认证密钥,将其发送给签名Key;S103-2: The first computer sets the generated random string as the external authentication key of the signature Key, and sends it to the signature Key;
除此之外,上述随机串还可以由签名Key或授权Key生成,第一计算机从签名Key或授权Key中获得随机串后,将获得的随机串设为签名Key的外部认证密钥;In addition, the above-mentioned random string can also be generated by the signature Key or the authorization Key. After the first computer obtains the random string from the signature Key or the authorization Key, it sets the obtained random string as the external authentication key of the signature Key;
上述随机串还可以由签名Key和授权Key分别生成随机子串,第一计算机从签名Key和授权Key分别获取各自生成的随机子串后,进行拼接、合并等变换生成外部认证密钥;The above-mentioned random strings can also be generated by the signature Key and the authorization Key respectively, and the first computer obtains the respective generated random substrings from the signature Key and the authorization Key, and performs transformations such as splicing and merging to generate an external authentication key;
外部认证密钥还可以为授权Key生成的随机数或预先设置的数值,第一计算机从授权Key中获取外部认证密钥;The external authentication key can also be a random number generated by the authorization key or a preset value, and the first computer obtains the external authentication key from the authorization key;
S104:第一计算机将获取的序列号和设置好的外部认证密钥发送给授权Key;S104: the first computer sends the obtained serial number and the set external authentication key to the authorization key;
S105:授权Key接收序列号和外部认证密钥并进行保存,授权Key与签名Key建立了关联;S105: The authorized Key receives the serial number and the external authentication key and stores them, and the authorized Key is associated with the signature Key;
S106:授权Key将加密公钥发送给第一计算机;S106: Authorize the Key to send the encrypted public key to the first computer;
S107:第一计算机接收加密公钥将其转发给签名Key;S107: The first computer receives the encrypted public key and forwards it to the signature Key;
具体的,在本实施例中,加密公钥与授权Key中内置的加密私钥相对应,加密私钥是授权Key白行生成的;除此之外,加密私钥也可以是事先导入到授权Key中的;Specifically, in this embodiment, the encryption public key corresponds to the encryption private key built into the authorization key, and the encryption private key is generated by the authorization key; in addition, the encryption private key can also be imported into the authorization key in advance. in Key;
S108:签名Key接收加密公钥并进行保存;S108: The signature Key receives the encrypted public key and saves it;
在本实施例中,如授权Key只与一个签名Key建立关联,也可以不获取签名Key的序列号。In this embodiment, if the authorization key is only associated with one signature key, the serial number of the signature key may not be obtained.
本实施例提供的方法中,利用授权Key对签名Key进行身份认证的过程如下:In the method provided in this embodiment, the process of using the authorization key to authenticate the signature key is as follows:
S109:第二计算机接收到身份认证请求后判断是否有授权Key与该第二计算机连接,是则执行S110,否则结束;S109: After receiving the identity authentication request, the second computer judges whether there is an authorized Key connected to the second computer, if yes, execute S110, otherwise end;
S110:第二计算机从签名Key中获取序列号;S110: the second computer obtains the serial number from the signature Key;
在本实施例中,如果授权Key只与一个签名Key建立了关联,也可不进行S110;In this embodiment, if the authorization key is only associated with one signature key, S110 may not be performed;
S111:第二计算机给签名Key下发“生成随机数”命令;S111: the second computer issues a "generate random number" command to the signature Key;
S112:签名Key接收到“生成随机数”命令后,生成预定长度的随机串并进行保存;S112: After the signature Key receives the "generate random number" command, generate a random string of predetermined length and save it;
S113:签名Key将生成的随机串发送给第二计算机;S113: The signature Key sends the generated random string to the second computer;
S114:第二计算机将获取到的序列号和接收到的随机串发给授权Key;S114: the second computer sends the obtained serial number and the received random string to the authorization key;
S115:授权Key接收序列号和随机串,并根据序列号查找对应的外部认证密钥,如找到则执行S116,如未找到则结束;S115: Authorize Key to receive the serial number and random string, and search for the corresponding external authentication key according to the serial number, if found, execute S116, if not found, end;
S115还可用S115’替换,S115 can also be replaced by S115',
S115’:授权Key接收序列号和随机串,并根据序列号查找对应的外部认证密钥,如找到则授权Key检查是否存储有专用私钥,如果是则执行S116,否则结束,如未找到则结束;S115': The authorized Key receives the serial number and random string, and searches for the corresponding external authentication key according to the serial number. If found, the authorized Key checks whether a dedicated private key is stored. If yes, execute S116, otherwise end, if not found, then Finish;
S116:授权Key用查找到的外部认证密钥对接收到的随机串加密,并用存储的加密私钥对加密结果进行签名;S116: The authorized key encrypts the received random string with the found external authentication key, and signs the encrypted result with the stored encrypted private key;
在本实施例中,加密所用的算法是事先约定的;优选地,在本实施例中,所述算法为3DES;除此之外,还可以为DES、AES等其他对称加密算法;In this embodiment, the algorithm used for encryption is pre-agreed; preferably, in this embodiment, the algorithm is 3DES; in addition, it can also be other symmetric encryption algorithms such as DES and AES;
S117:授权Key将加密结果和签名结果按照预定格式拼接后发给第二计算机;S117: Authorize the Key to concatenate the encryption result and the signature result according to a predetermined format and then send it to the second computer;
S118:第二计算机接收拼接后的加密结果和签名结果并转发给签名Key;S118: The second computer receives the spliced encryption result and signature result and forwards them to the signature Key;
S119:签名Key接收拼接后的加密结果和签名结果,并使用存储的加密公钥验证签名结果,如验证成功则执行步骤S120,如验证失败则结束;S119: Signature Key receives the spliced encryption result and signature result, and uses the stored encrypted public key to verify the signature result, if the verification is successful, execute step S120, and if the verification fails, end;
S119还可用S119’代替,S119 can also be replaced by S119',
S119’:签名Key接收拼接后的加密结果和签名结果,检查是否存储有加密公钥,如果存在则使用存储的加密公钥验证签名结果;如验证成功则执行步骤S120,如验证失败则结束;如不存在则结束;S119': Signature Key receives the spliced encryption result and signature result, checks whether the encryption public key is stored, and if it exists, uses the stored encryption public key to verify the signature result; if the verification is successful, execute step S120, and if the verification fails, end; end if not present;
S120:签名Key使用加密结果对签名Key进行身份认证;S120: The signature key uses the encryption result to authenticate the signature key;
在本实施例中,对签名Key进行身份认证的具体过程为:In this embodiment, the specific process of authenticating the signature Key is as follows:
签名Key使用内置的外部认证密钥对所述加密结果进行解密,如解密成功则判断解密结果与当前保存的随机串是否一致,如果是则身份认证通过;否则结束,如解密不成功则结束。The signature key uses the built-in external authentication key to decrypt the encrypted result. If the decryption is successful, it is judged whether the decrypted result is consistent with the currently saved random string. If yes, the identity authentication is passed;
除此之外,还可以为:In addition, it can also be:
签名Key利用内置的外部认证密钥对当前保存的随机串进行加密生成第二加密结果,判断第二加密结果与接收到的加密结果是否一致,如果是则身份认证通过;否则结束。The signature key uses the built-in external authentication key to encrypt the currently stored random string to generate a second encryption result, and judges whether the second encryption result is consistent with the received encryption result. If yes, the identity authentication is passed; otherwise, it ends.
在身份认证通过后,本实施例提供的方法还包括:签名Key清除当前保存的随机串。After the identity authentication is passed, the method provided by this embodiment further includes: clearing the currently stored random string of the signature Key.
在本实施例中,授权Key和签名Key还可同步更新外部认证密钥,具体更新过程与关联过程相同,其中签名Key的身份认证过程与上述认证过程相同,在此不再赘述。In this embodiment, the authorization key and the signature key can also update the external authentication key synchronously. The specific update process is the same as the association process, and the identity authentication process of the signature key is the same as the above authentication process, which will not be repeated here.
实施例二Embodiment two
本发明实施例二提供的一种授权认证方法,包括关联过程和认证过程,具体实现技术方案为:授权Key和签名Key通过计算机进行数据传输,授权Key的PIN验证通过后,授权Key与签名Key进行一对多的关联,关联后,使用签名Key进行操作时需要事先由授权Key对签名Key的进行身份认证,认证通过后才能使用签名Key进行操作。An authorization authentication method provided by Embodiment 2 of the present invention includes an association process and an authentication process. The specific implementation technical solution is: the authorization key and the signature key are transmitted through the computer, and after the PIN verification of the authorization key is passed, the authorization key and the signature key Perform one-to-many association. After association, when using the signature key to operate, the signature key needs to be authenticated by the authorization key in advance. After the authentication is passed, the signature key can be used for operation.
本实施例中的第一计算机包括终端与设置在其内部的关联程序。参见图2,关联过程具体包括:The first computer in this embodiment includes a terminal and associated programs installed inside it. Referring to Figure 2, the association process specifically includes:
S201:第一计算机接收到关联请求,判断是否有授权Key和签名Key与第一计算机连接,是则执行S202,否则结束;S201: The first computer receives the association request, and judges whether there is an authorization key and a signature key connected to the first computer, if yes, execute S202, otherwise end;
S202:第一计算机从签名Key中获取外部认证密钥和序列号;S202: the first computer obtains the external authentication key and serial number from the signature Key;
在本实施例中,外部认证密钥为对称密钥,是签名Key随机产生的随机数或预先设置的数值,优选的,外部认证密钥是签名Key随机产生的随机数;In this embodiment, the external authentication key is a symmetric key, which is a random number or a preset value randomly generated by the signature Key. Preferably, the external authentication key is a random number randomly generated by the signature Key;
具体的,在本实施例中的外部认证密钥为8位,序列号为12位,该序列号作为外部认证密钥的ID;Specifically, the external authentication key in this embodiment is 8 bits, and the serial number is 12 bits, and the serial number is used as the ID of the external authentication key;
S203:第一计算机将序列号和外部认证密钥发送给授权Key;S203: the first computer sends the serial number and the external authentication key to the authorization key;
S204:授权Key接收序列号和外部认证密钥并进行保存;S204: The authorization Key receives the serial number and the external authentication key and saves them;
S205:授权Key将加密公钥导出并发送给第一计算机;S205: Authorize the Key to export the encrypted public key and send it to the first computer;
具体的,在本实施例中,授权Key的加密公钥、加密私钥和签名Key的序列号是一一对应的;Specifically, in this embodiment, the encryption public key of the authorization key, the encryption private key and the serial number of the signature key are in one-to-one correspondence;
在本实施例中,加密公钥是通过RSA加密算法产生的或预先存储的,优选的,本实施例的加密公钥是通过RSA加密算法得到的,加密私钥存储在授权Key中不导出;In this embodiment, the encrypted public key is generated or pre-stored by the RSA encryption algorithm. Preferably, the encrypted public key in this embodiment is obtained by the RSA encryption algorithm, and the encrypted private key is stored in the authorized Key and is not exported;
S206:第一计算机接收加密公钥并转发给签名Key;S206: The first computer receives the encrypted public key and forwards it to the signature Key;
S207:签名Key接收加密公钥并进行保存;S207: The signature Key receives the encrypted public key and saves it;
在身份认证过程中,外部认证密钥当作签名Key的PIN码。During identity authentication, the external authentication key is used as the PIN code of the signature key.
在本实施例中的第二计算机(即前置机)包括终端和终端上的软件程序,本实施例提供的方法中的认证过程如图3所示,具体包括:In this embodiment, the second computer (i.e., the front-end processor) includes a terminal and a software program on the terminal. The authentication process in the method provided by this embodiment is shown in Figure 3, specifically including:
S301:第二计算机接收到身份认证请求,判断是否有授权Key和签名Key与第二计算机连接,是则执行步骤S302,否则结束;S301: The second computer receives the identity authentication request, and judges whether there is an authorization key and a signature key connected to the second computer, if yes, execute step S302, otherwise end;
S302:第二计算机从授权Key中获取第一随机数;S302: The second computer obtains the first random number from the authorization Key;
具体的,在本实施例中,第一随机数是授权Key随机生成的或预先存储的,具体的,在本实施例中第一随机数是随机生成的,授权Key对产生的第一随机数进行备份;Specifically, in this embodiment, the first random number is randomly generated or pre-stored by the authorized Key. Specifically, in this embodiment, the first random number is randomly generated, and the first random number generated by the authorized Key pair make a backup;
S303:第二计算机接收用户输入的授权Key的PIN码,并使用其对获取到的第一随机数进行加密,生成第一加密数据;S303: The second computer receives the PIN code of the authorization key input by the user, and uses it to encrypt the obtained first random number to generate first encrypted data;
具体的,在本实施例中,授权Key的PIN码设置为8位;Specifically, in this embodiment, the PIN code of the authorized Key is set to 8 digits;
S304:第二计算机将第一加密数据发送给授权Key;S304: The second computer sends the first encrypted data to the authorization key;
S305:授权Key接收第一加密数据,使用其存储的PIN码对备份的第一随机数进行加密,生成第二加密数据;S305: Authorize the Key to receive the first encrypted data, use the stored PIN code to encrypt the backup first random number, and generate the second encrypted data;
S306:授权Key判断第一加密数据与第二加密数据是否相同,如相同,则对授权Key的验证通过,执行S307,如不同则结束S306: Authorize the Key to judge whether the first encrypted data is the same as the second encrypted data, if they are the same, pass the verification of the authorized Key, execute S307, and end if not
S307:授权Key给第二计算机返回验证通过信息;S307: Authorize the Key to return verification passing information to the second computer;
S308:第二计算机接收到验证通过信息后从签名Key中获取第二随机数和序列号;S308: The second computer obtains the second random number and the serial number from the signature Key after receiving the verification information;
具体的,签名Key中的第二随机数是随机产生的或预先存储的,优选的,在本实施例中,签名Key中的第二随机数是随机产生的,签名Key对产生的第二随机数进行备份;Specifically, the second random number in the signature Key is randomly generated or pre-stored. Preferably, in this embodiment, the second random number in the signature Key is randomly generated, and the second random number generated by the signature Key pair number for backup;
S309:第二计算机将第二随机数和序列号发送给授权Key;S309: the second computer sends the second random number and the serial number to the authorization key;
S310:授权Key接收第二随机数和序列号,并根据序列号查找对应的外部认证密钥,如找到则执行S311,如未找到则结束;S310: Authorize the Key to receive the second random number and serial number, and search for the corresponding external authentication key according to the serial number, if found, execute S311, and if not found, end;
S311:授权Key使用查找到的外部认证密钥对接收到的第二随机数进行计算得到第一计算结果,使用存储的加密私钥对第一计算结果进行签名生成待验证数据;S311: The authorization key uses the found external authentication key to calculate the received second random number to obtain a first calculation result, and uses the stored encrypted private key to sign the first calculation result to generate data to be verified;
优选的,在本实施例中,使用DES对接收到的第二随机数进行计算;具体的,使用3DES对第二随机数进行加密,得到8字节大小的第一计算结果,对第一计算结果进行pkcs1补位后进行签名,生成128字节大小的待验证数据;Preferably, in this embodiment, DES is used to calculate the received second random number; specifically, 3DES is used to encrypt the second random number to obtain the first calculation result of 8 bytes, and the first calculation As a result, sign after pkcs1 padding, and generate 128 bytes of data to be verified;
S312:授权Key将第一计算结果和待验证数据发送给第二计算机;S312: Authorize the Key to send the first calculation result and the data to be verified to the second computer;
S313:第二计算机接收第一计算结果和待验证数据并将其转发给签名Key;S313: The second computer receives the first calculation result and the data to be verified and forwards it to the signature Key;
S314:签名Key接收第一计算结果和待验证数据,使用存储的加密公钥对待验证数据进行验证,如验证通过则执行S315,如验证未通过则结束;S314: The signature Key receives the first calculation result and the data to be verified, uses the stored encrypted public key to verify the data to be verified, if the verification is passed, execute S315, and if the verification fails, then end;
S315:签名Key使用外部认证密钥对备份的第二随机数进行计算生成第二计算结果;S315: The signature Key uses the external authentication key to calculate the backup second random number to generate a second calculation result;
具体的,该步骤中的计算法则与S311中的计算法则一致,预先设置在签名Key和授权Key中;Specifically, the calculation rule in this step is consistent with the calculation rule in S311, which is preset in the signature Key and authorization Key;
S316:签名Key判断第二计算结果和接收到的第一计算结果是否一致,是则执行S317,否则结束;S316: Signature Key judges whether the second calculation result is consistent with the received first calculation result, if yes, execute S317, otherwise end;
在本实施例中,S312-S316可替换为S312’-S316’;In this embodiment, S312-S316 can be replaced by S312'-S316';
S312’:授权Key将待验证数据发送给第二计算机;S312': Authorize the Key to send the data to be verified to the second computer;
S313’:第二计算机接收待验证数据并将其转发给签名Key;S313': the second computer receives the data to be verified and forwards it to the signature Key;
S314’:签名Key接收待验证数据,使用存储的加密公钥对待验证数据进行验证,如验证通过则执行S315’,如验证失败则结束;S314': Signature Key receives the data to be verified, uses the stored encrypted public key to verify the data to be verified, if the verification is passed, execute S315', and if the verification fails, it ends;
S315’:签名Key使用外部认证密钥对备份的第二随机数进行计算生成第二计算结果;S315': The signature Key uses the external authentication key to calculate the backup second random number to generate a second calculation result;
该步骤中的计算法则与S311中的计算法则一致,预先设置在签名Key和授权Key中;优选的,使用加密算法;S314’和S315’顺序可调换;The calculation rule in this step is consistent with the calculation rule in S311, and is preset in the signature Key and the authorization Key; preferably, an encryption algorithm is used; the order of S314' and S315' can be exchanged;
S316’:签名Key判断第二计算结果与验证通过得到的结果是否一致,是则执行S317,否则结束;S316': Signature Key judges whether the second calculation result is consistent with the result obtained by passing the verification, if yes, execute S317, otherwise end;
在本实施例中,如S211中使用的是加密算法,则S315’和S316’还可替换为:In this embodiment, if an encryption algorithm is used in S211, then S315' and S316' can also be replaced by:
S315”:签名Key使用外部认证密钥对验证通过得到的结果进行解密,如解密成功得到第二解密结果,执行S316”,如解密失败则结束;S315": The signature Key uses the external authentication key to decrypt the result obtained by passing the verification. If the decryption is successful, the second decryption result is obtained, and S316" is executed. If the decryption fails, it ends;
S316”:签名Key判断第二解密结果与备份的第二随机数是否一致,如一致则执行S317,否则结束。S316": The signature Key judges whether the second decryption result is consistent with the second random number backed up, and if they are consistent, execute S317, otherwise end.
S317:签名Key给第二计算机返回验证通过提示信息。S317: Return the signature Key to the second computer to indicate that the verification is passed.
本实施例中,通过授权Key对签名Key进行关联,进行交易签名之前使用授权Key对签名Key的进行身份认证,认证通过后才能对交易信息进行签名操作,提高交易过程的安全性。In this embodiment, the signature key is associated with the authorization key, and the identity authentication of the signature key is performed using the authorization key before transaction signing, and the transaction information can be signed only after the authentication is passed, so as to improve the security of the transaction process.
在本实施例中,在授权Key对签名Key认证之后,授权Key和签名Key可同时更新外部认证密钥,如图4所示,包括:In this embodiment, after the authorization Key authenticates the signature Key, the authorization Key and the signature Key can update the external authentication key at the same time, as shown in Figure 4, including:
S401:第二计算机从签名key中获取第三随机数和签名Key的序列号;S401: the second computer obtains the third random number and the serial number of the signature key from the signature key;
S402:第二计算机将第三随机数和序列号发送给授权Key;S402: the second computer sends the third random number and serial number to the authorization key;
S403:授权Key接收第三随机数和序列号,根据序列号找到外部认证密钥;S403: The authorized Key receives the third random number and the serial number, and finds the external authentication key according to the serial number;
S404:授权Key备份第三随机数,并使用存储的加密私钥对第三随机数进行加密;S404: Authorize the Key to back up the third random number, and use the stored encrypted private key to encrypt the third random number;
S405:授权Key将加密结果返回给第二计算机;S405: Authorize the Key to return the encryption result to the second computer;
S406:第二计算机将加密结果发送给签名key;S406: The second computer sends the encryption result to the signature key;
S407:签名Key接收加密结果,并使用存储的加密公钥对加密结果进行解密,如解密成功,则执行S408,如解密失败则结束;S407: The signature Key receives the encrypted result, and uses the stored encrypted public key to decrypt the encrypted result. If the decryption is successful, execute S408. If the decryption fails, end;
具体的,在本实施例中,签名Key存储的公钥与授权的自身私钥一一对应;Specifically, in this embodiment, the public key stored in the signature key has a one-to-one correspondence with the authorized private key;
S408:签名Key将外部认证密钥替换为第三随机数;S408: The signature Key replaces the external authentication key with a third random number;
S409:签名Key给第二计算机返回验证通过信息;S409: return the signature Key to the second computer to pass the verification information;
S410:第二计算机接收验证通过信息并转发给授权Key;S410: The second computer receives the verification information and forwards it to the authorization key;
S411:授权Key接收到验证通过信息后将存储的外部认证密钥更新为备份的第三随机数。S411: The authorization key updates the stored external authentication key to the backup third random number after receiving the verification passing information.
本实施例中,授权Key对签名Key认证通过后,只要签名KEY不被拔除或第二计算机不重启,再有签名请求时签名Key直接进行签名操作,简化对签名Key的PIN码的验证过程;即使签名Key移动到其它PC,因没有授权KEY的配合,也无法进行操作,提高了交易签名操作的安全性。In this embodiment, after the signature key is authenticated by the authorized key, as long as the signature key is not removed or the second computer is not restarted, the signature key directly performs the signature operation when there is a signature request, which simplifies the verification process of the PIN code of the signature key; Even if the signature key is moved to another PC, it cannot be operated without the cooperation of the authorized key, which improves the security of the transaction signature operation.
实施例三Embodiment Three
本发明实施例三提供了一种授权认证系统,如图5所示,包括:授权Key3、计算机2和签名Key1;Embodiment 3 of the present invention provides an authorization authentication system, as shown in FIG. 5 , including: authorization Key3, computer 2 and signature Key1;
授权Key1具体包括:Authorization Key1 specifically includes:
第一接收模块11,用于在关联时接收计算机发送的签名Key的序列号和外部认证密钥,在认证时接收计算机发送的第一加密数据、签名Key的序列号和第二随机数;The first receiving module 11 is used to receive the serial number and the external authentication key of the signature Key sent by the computer during association, and receive the first encrypted data, the serial number and the second random number of the signature Key sent by the computer during authentication;
第一生成模块12,用于根据RSA加密算法()生成加密公钥和加密私钥,还用于生成第一随机数和/或随机串;The first generating module 12 is used to generate an encrypted public key and an encrypted private key according to the RSA encryption algorithm (), and is also used to generate the first random number and/or random string;
第一存储模块13,用于存储加密公钥和加密私钥,关联时接收到的签名Key的序列号、外部认证密钥,认证时接收到的第二随机数;还用于存储第一随机数和授权Key的PIN码;The first storage module 13 is used to store the encrypted public key and encrypted private key, the serial number of the signature Key received during association, the external authentication key, and the second random number received during authentication; it is also used to store the first random number number and the PIN code of the authorized Key;
本实施例中,加密公钥、加密私钥和/或第一随机数是第一生成模块12随机生成的,或预先设置的;签名Key的序列号与加密公钥、加密私钥一一对应;外部认证密钥是随机生成的或预先设置好的;In this embodiment, the encryption public key, the encryption private key and/or the first random number are randomly generated by the first generation module 12, or preset; the serial number of the signature Key corresponds to the encryption public key and the encryption private key one by one ;The external authentication key is randomly generated or preset;
查找模块14,用于根据在认证时接收到的序列号查找对应存储的外部认证密钥;A search module 14, configured to search for a correspondingly stored external authentication key according to the serial number received during authentication;
第一加密模块15,用于使用存储的授权Key的PIN码对存储的第一随机数进行加密生成第二加密数据;The first encryption module 15 is used to encrypt the first random number stored using the PIN code of the stored authorization Key to generate the second encrypted data;
第一判断模块16,用于判断接收到的第一加密数据与计算得到的第二加密数据是否相同;The first judging module 16 is used to judge whether the received first encrypted data is the same as the calculated second encrypted data;
签名模块17,包括:Signature module 17, including:
第一计算单元171,用于使用查找到的外部认证密钥对存储的第二随机数进行计算生成第一计算结果;The first calculation unit 171 is configured to use the found external authentication key to calculate the stored second random number to generate a first calculation result;
签名单元172,用于使用存储的加密私钥对计算得到的第一计算结果进行签名生成待验证数据;A signature unit 172, configured to use the stored encrypted private key to sign the calculated first calculation result to generate data to be verified;
第一发送模块18,用于向计算机2发送加密公钥、待验证数据和第一判断模块16判断相同时生成的验证通过信息;The first sending module 18 is used to send the encryption public key, the data to be verified and the verification passing information generated when the first judging module 16 judges the same to the computer 2;
第一接口模块19,用于与计算机2建立连接;The first interface module 19 is used to establish a connection with the computer 2;
计算机2具体包括:Computer 2 specifically includes:
第二接收模块21,用于接收用户发起的关联请求、身份认证请求、用户输入的授权Key的PIN码,接收签名Key发送的验证通过提示信息,接收第一发送模块18发送的加密公钥、验证通过信息待验证数据;The second receiving module 21 is used to receive the association request initiated by the user, the identity authentication request, the PIN code of the authorization key input by the user, receive the verification passing prompt information sent by the signature key, receive the encrypted public key sent by the first sending module 18, Verification passed information to be verified data;
第二判断模块22,用于判断是否有授权Key1和签名Key3与计算机2连接;The second judging module 22 is used to judge whether the authorized Key1 and the signature Key3 are connected with the computer 2;
获取模块23,用于在接收到身份认证请求时从签名Key中获取第二随机数和签名Key的序列号;还用于从授权Key中获取第一随机数;The obtaining module 23 is used to obtain the second random number and the serial number of the signature Key from the signature Key when receiving the identity authentication request; it is also used to obtain the first random number from the authorization Key;
第二加密模块24,用于使用接收到的用户输入的PIN码对获取到的第一随机数进行加密生成第一加密数据;The second encryption module 24 is used to encrypt the first random number obtained by using the received PIN code input by the user to generate the first encrypted data;
设置模块25,用于在接收到所述关联请求时在所述签名Key和授权Key中设置所述签名Key的所述外部认证密钥;A setting module 25, configured to set the external authentication key of the signature key in the signature key and the authorization key when the association request is received;
在本实施例中,设置模块25包括:In this embodiment, the setting module 25 includes:
生成单元251,用于生成外部认证密钥;A generating unit 251, configured to generate an external authentication key;
发送单元252,用于将生成的外部认证密钥发送给第一接收模块11和签名Key;A sending unit 252, configured to send the generated external authentication key to the first receiving module 11 and the signature Key;
设置模块25还包括获取单元253,用于从第一生成模块12和第二生成模块32中分别获取随机串,还用于从第二存储模块33中获取签名Key的序列号;The setting module 25 also includes an acquisition unit 253, which is used to obtain random strings from the first generation module 12 and the second generation module 32, and is also used to obtain the serial number of the signature Key from the second storage module 33;
生成单元251具体用于将获取的随机串进行拼接或合并生成外部认证密钥;The generating unit 251 is specifically configured to splice or combine the obtained random strings to generate an external authentication key;
或,设置模块25包括:Or, setting module 25 includes:
获取单元,用于在接收到关联请求时从第二存储模块33或第一存储模块13中获取外部认证密钥;An obtaining unit, configured to obtain the external authentication key from the second storage module 33 or the first storage module 13 when the association request is received;
发送单元,用于将获取到的外部认证密钥发送给第一存储模块13或第二存储模块33。The sending unit is configured to send the obtained external authentication key to the first storage module 13 or the second storage module 33 .
第二发送模块26,用于在关联时向第一接收模块11发送获取到的签名Key的序列号和外部认证密钥,向签名Key发送接收到的加密公钥;在认证时向第一接收模块11发送第一加密数据、获取到的第二随机数和签名Key的序列号,向签名Key发送待验证数据;The second sending module 26 is used to send the serial number and the external authentication key of the signature Key obtained to the first receiving module 11 during association, and send the encrypted public key received to the signature Key; Module 11 sends the first encrypted data, the obtained second random number and the serial number of the signature Key, and sends the data to be verified to the signature Key;
第二接口模块27,用于与授权Key1和签名Key3建立连接;The second interface module 27 is used to establish a connection with the authorization Key1 and the signature Key3;
签名Key3具体包括:Signature Key3 specifically includes:
第三接收模块31,用于接收第二发送模块25发送的加密公钥和待验证数据;The third receiving module 31 is configured to receive the encrypted public key and the data to be verified sent by the second sending module 25;
第二生成模块32,用于生成外部认证密钥、第二随机数,还用于生成随机串;The second generation module 32 is used to generate an external authentication key, a second random number, and also to generate a random string;
第二存储模块33,用于存储接收到的加密公钥、签名Key3的序列号,生成的第二随机数、外部认证密钥;The second storage module 33 is used to store the received encrypted public key, the serial number of the signature Key3, the second random number generated, and the external authentication key;
具体的,在本实施例中,第二随机数和外部认证密钥是第二生成模块32随机生成的,或预先设置的;Specifically, in this embodiment, the second random number and the external authentication key are randomly generated by the second generating module 32, or are preset;
验证模块34,用于使用存储的所述加密公钥和外部认证密钥对接收到的所述待验证数据进行验证,具体包括:The verification module 34 is configured to use the stored encrypted public key and external authentication key to verify the received data to be verified, specifically including:
解密单元341,用于使用存储的加密公钥对接收到的待验证数据进行解密;Decryption unit 341, configured to use the stored encrypted public key to decrypt the received data to be verified;
第二计算单元342,用于使用存储的外部认证密钥对存储的第二随机数进行计算生成第二计算结果;The second calculation unit 342 is configured to use the stored external authentication key to calculate the stored second random number to generate a second calculation result;
具体的,在本实施例中,第二计算单元342和第一计算单元171使用的算法相同;Specifically, in this embodiment, the algorithm used by the second calculation unit 342 and the first calculation unit 171 are the same;
判断单元343,用于判断解密单元341解密成功得到的解密结果与第二计算结果是否相同。The judging unit 343 is configured to judge whether the decryption result successfully obtained by the decryption unit 341 is the same as the second calculation result.
第三发送模块35,用于在判断单元343判断相同时向第二接收模块21发送验证通过提示信息;The third sending module 35 is configured to send a verification passing prompt message to the second receiving module 21 when the judging unit 343 judges that they are the same;
第三接口模块36,用于与计算机2建立连接。The third interface module 36 is used to establish a connection with the computer 2 .
在本实施例中,签名Key中的验证模块34还有其他实现方式,In this embodiment, the verification module 34 in the signature Key also has other implementations,
方式一:授权Key中的第一发送模块18用于将第一计算结果和待验证数据发送给计算机2;签名Key中的第三接收模块31用于接收到待验证数据和第一计算结果,验证模块34包括:解密单元,用于使用存储的加密公钥对接收到的待验证数据进行解密;判断单元,用于判断解密成功得到的解密结果与所述接收到的第一计算结果是否相同。Mode 1: the first sending module 18 in the authorization key is used to send the first calculation result and the data to be verified to the computer 2; the third receiving module 31 in the signature key is used to receive the data to be verified and the first calculation result, The verification module 34 includes: a decryption unit, which is used to decrypt the received data to be verified by using the stored encryption public key; a judgment unit, which is used to judge whether the decryption result obtained by decryption is the same as the received first calculation result .
方式二:签名Key中的验证模块34包括第一解密单元、第二解密单元和判断单元;第一解密单元用于使用存储的加密公钥对接收到的待验证数据进行解密;第二解密单元用于使用存储的外部认证密钥对第一解密单元的解密成功的结果进行解密;判断单元用于判断第二解密单元的解密成功的结果与存储的第二随机数是否相同。Mode 2: the verification module 34 in the signature Key includes a first decryption unit, a second decryption unit and a judging unit; the first decryption unit is used to decrypt the received data to be verified using the stored encryption public key; the second decryption unit It is used to decrypt the successful decryption result of the first decryption unit by using the stored external authentication key; the judging unit is used to judge whether the successful decryption result of the second decryption unit is the same as the stored second random number.
本实施例提供的系统是采用软硬件结合的方式实现的,硬件采用高性能智能卡芯片封装的签名Key和授权Key,负责存储企业证书,软件为与硬件USBKey通讯的应用软件设置在计算机中,在银行实现签名Key和授权Key的关联,在企业端进行签名时需使用授权Key对签名Key的身份进行认证,验证通过后才能进行签名操作,大大提高签名操作的安全性。The system provided by this embodiment is realized by combining software and hardware. The hardware adopts the signature Key and authorization Key encapsulated by a high-performance smart card chip, and is responsible for storing the enterprise certificate. The software is set in the computer for the application software communicating with the hardware USBKey. The bank implements the association between the signature key and the authorization key. When signing on the enterprise side, the authorization key needs to be used to authenticate the identity of the signature key. The signature operation can only be performed after the verification is passed, which greatly improves the security of the signature operation.
实施例四Embodiment four
参考图6,本发明实施例四提供了一种授权认证系统,本实施例提供的系统除了可以实现实施例三系统的授权认证功能外,还具有对授权Key和签名Key中的外部认证密钥同时更新的功能,如图6所示,在图5的基础上,授权Key还包括更新模块10,签名Key还包括解密模块37和替换模块38;Referring to Fig. 6, Embodiment 4 of the present invention provides an authorization authentication system. In addition to realizing the authorization authentication function of the system in Embodiment 3, the system provided in this embodiment also has an external authentication key for authorization Key and signature Key. The function of simultaneous update, as shown in Figure 6, on the basis of Figure 5, the authorization Key also includes the update module 10, and the signature Key also includes the decryption module 37 and the replacement module 38;
第二接收模块31还用于接收第一发送模块18发送的加密结果,接收第三发送模块35发送的验证成功信息;The second receiving module 31 is also used to receive the encryption result sent by the first sending module 18, and receive the verification success information sent by the third sending module 35;
获取模块23还用于从签名Key中获取第三随机数和签名Key的序列号;The obtaining module 23 is also used to obtain the third random number and the serial number of the signature Key from the signature Key;
第二发送模块26还用于将获取到的第三随机数和签名Key的序列号给第一接收模块,将接收到的验证成功信息发送给更新模块10,用于将接收到的加密结果发送给第三接收模块31;The second sending module 26 is also used to send the obtained third random number and the sequence number of the signature Key to the first receiving module, and send the received verification success information to the update module 10, for sending the received encryption result To the third receiving module 31;
第一接收模块11还用于接收第二发送模块26发送的第三随机数和签名Key的序列号、验证成功信息;The first receiving module 11 is also used to receive the third random number sent by the second sending module 26, the serial number of the signature Key, and the verification success information;
第一存储模块13还用于存储第三随机数;The first storage module 13 is also used for storing the third random number;
查找单元14还用于根据接收到的签名Key的序列号在第一存储模块13中查找对应的外部认证密钥;The search unit 14 is also used to search the corresponding external authentication key in the first storage module 13 according to the serial number of the received signature Key;
第一加密模块15还用于根据第一存储模块13中的加密私钥对接收到的第三随机数进行加密;The first encryption module 15 is also used for encrypting the third random number received according to the encryption private key in the first storage module 13;
更新模块10用于在接收到验证成功信息后,将第一存储模块13中的外部认证密钥替换为第三随机数;The update module 10 is configured to replace the external authentication key in the first storage module 13 with a third random number after receiving the verification success information;
第一发送模块18还用于将第一加密模块15中的加密结果发送给第二接收模块21;The first sending module 18 is also used to send the encryption result in the first encryption module 15 to the second receiving module 21;
第三接收模块31还用于接收第二发送模块26发送的加密结果;The third receiving module 31 is also used for receiving the encryption result sent by the second sending module 26;
第二存储模块33还用存储第三随机数;The second storage module 33 is also used to store the third random number;
解密模块37用于使用第二存储模块33中的加密公钥对接收到的加密结果进行解密;The decryption module 37 is used to decrypt the received encryption result using the encryption public key in the second storage module 33;
替换模块38用于在解密模块37解密成功时将第二存储模块33中的外部认证密钥替换为第三随机数;The replacement module 38 is used to replace the external authentication key in the second storage module 33 with a third random number when the decryption module 37 successfully decrypts;
第三发送模块35还用于在解密模块37解密成功时向第二接收模块21发送验证成功信息。The third sending module 35 is also configured to send verification success information to the second receiving module 21 when the decryption module 37 succeeds in decrypting.
本实施例提供的授权认证系统,可在授权Key对签名Key授权验证通过后,同时对授权Key和签名Key存储的外部认证密钥进行更新,使每次进行交易签名使用的外部认证密钥都不同,进一步地提高了签名操作的安全性。The authorization authentication system provided in this embodiment can simultaneously update the external authentication key stored in the authorization Key and the signature Key after the authorization Key has passed the authorization verification of the signature Key, so that the external authentication key used for each transaction signature is Different, further improving the security of the signature operation.
以上所述,仅为本发明较佳的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明公开的技术范围内,可轻易想到的变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应该以权利要求的保护范围为准。The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto, any changes or variations that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention Replacement should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.
Claims (37)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110301864.3A CN102510333B (en) | 2011-09-30 | 2011-09-30 | Authorization method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110301864.3A CN102510333B (en) | 2011-09-30 | 2011-09-30 | Authorization method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102510333A CN102510333A (en) | 2012-06-20 |
| CN102510333B true CN102510333B (en) | 2014-07-30 |
Family
ID=46222387
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110301864.3A Active CN102510333B (en) | 2011-09-30 | 2011-09-30 | Authorization method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102510333B (en) |
Families Citing this family (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102790678B (en) * | 2012-07-11 | 2015-01-14 | 飞天诚信科技股份有限公司 | Authentication method and system |
| CN103166754B (en) * | 2013-03-12 | 2017-05-10 | 飞天诚信科技股份有限公司 | Method and device processing commands |
| CN103425786A (en) * | 2013-08-22 | 2013-12-04 | 曙光云计算技术有限公司 | Method and device for storing data and device and method for accessing encrypted data |
| CN104639516B (en) * | 2013-11-13 | 2018-02-06 | 华为技术有限公司 | Identity identifying method, equipment and system |
| CN106529221B (en) * | 2016-11-22 | 2019-03-19 | 北京中金国信科技有限公司 | A kind of FPGA program anti-copy method and PCI-E cipher card |
| CN106657152B (en) * | 2017-02-07 | 2021-05-28 | 腾讯科技(深圳)有限公司 | Authentication method, server and access control device |
| SG10201704077UA (en) * | 2017-05-18 | 2018-12-28 | Huawei Int Pte Ltd | Electronic key system for vehicles access based on portable devices |
| CN110401613B (en) * | 2018-04-24 | 2023-01-17 | 北京握奇智能科技有限公司 | Authentication management method and related equipment |
| CN109245882A (en) * | 2018-09-08 | 2019-01-18 | 华东交通大学 | A kind of SM2 endorsement method suitable for electric power wireless sensor network |
| CN109636381A (en) * | 2018-12-12 | 2019-04-16 | 福建新大陆支付技术有限公司 | A kind of payment terminal off line authorization method and system based on IC card |
| CN110034924B (en) * | 2018-12-12 | 2022-05-13 | 创新先进技术有限公司 | Data processing method and device |
| CN109672526B (en) * | 2018-12-17 | 2021-11-09 | 福建联迪商用设备有限公司 | Method and system for managing executable program |
| CN109815745B (en) * | 2019-01-11 | 2023-02-17 | 珠海金山数字网络科技有限公司 | Application program authorization method based on image signature |
| CN109902481B (en) * | 2019-03-07 | 2021-10-26 | 北京深思数盾科技股份有限公司 | Encryption lock authentication method for encryption equipment and encryption equipment |
| JP7008661B2 (en) * | 2019-05-31 | 2022-01-25 | 本田技研工業株式会社 | Authentication system |
| CN110191438B (en) * | 2019-06-05 | 2022-09-23 | 深圳成谷科技有限公司 | Authentication method for vehicle-to-vehicle communication and related product |
| CN111563247A (en) * | 2020-07-14 | 2020-08-21 | 飞天诚信科技股份有限公司 | Method and device for logging in system by intelligent key equipment |
| CN113392418B (en) * | 2021-06-30 | 2022-10-11 | 北京紫光展锐通信技术有限公司 | Data deployment method and device, computer readable storage medium, deployment device and user side |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2001055979A1 (en) * | 2000-01-24 | 2001-08-02 | Smarttrust Systems Oy | Payment device and method for secure payment |
| CN1921395A (en) * | 2006-09-19 | 2007-02-28 | 北京飞天诚信科技有限公司 | Method and system for improving security of network software |
| CN101094383A (en) * | 2007-07-09 | 2007-12-26 | 中国网络通信集团公司 | IPTV authentication and authorization method, server and system |
| CN101989991A (en) * | 2010-11-24 | 2011-03-23 | 北京天地融科技有限公司 | Method for importing secret keys safely, electronic signature tool, authentication device and system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7699233B2 (en) * | 2005-11-02 | 2010-04-20 | Nokia Corporation | Method for issuer and chip specific diversification |
-
2011
- 2011-09-30 CN CN201110301864.3A patent/CN102510333B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2001055979A1 (en) * | 2000-01-24 | 2001-08-02 | Smarttrust Systems Oy | Payment device and method for secure payment |
| CN1921395A (en) * | 2006-09-19 | 2007-02-28 | 北京飞天诚信科技有限公司 | Method and system for improving security of network software |
| CN101094383A (en) * | 2007-07-09 | 2007-12-26 | 中国网络通信集团公司 | IPTV authentication and authorization method, server and system |
| CN101989991A (en) * | 2010-11-24 | 2011-03-23 | 北京天地融科技有限公司 | Method for importing secret keys safely, electronic signature tool, authentication device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102510333A (en) | 2012-06-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102510333B (en) | Authorization method and system | |
| CN110519260B (en) | Information processing method and information processing device | |
| CN113545006B (en) | Remote authorized access locked data storage device | |
| US9467430B2 (en) | Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware | |
| CN103684766B (en) | A kind of private key protection method of terminal use and system | |
| CN107358441B (en) | Payment verification method, system, mobile device and security authentication device | |
| CN101212293B (en) | A method and system for identity authentication | |
| US20180276664A1 (en) | Key download method and apparatus for pos terminal | |
| US11831752B2 (en) | Initializing a data storage device with a manager device | |
| CN106227503A (en) | Safety chip COS firmware update, service end, terminal and system | |
| JP2016096547A (en) | Method for non-repudiation, and payment managing server and user terminal therefor | |
| CN105915338B (en) | Generate the method and system of key | |
| TR201902104T4 (en) | Systems and methods for secure communication. | |
| CN102790678B (en) | Authentication method and system | |
| KR101702748B1 (en) | Method, system and recording medium for user authentication using double encryption | |
| KR20120108599A (en) | Credit card payment service using online credit card payment device | |
| US20120124378A1 (en) | Method for personal identity authentication utilizing a personal cryptographic device | |
| CN104851206A (en) | USBKEY (universal serial bus key)-based online electric charge payment system | |
| WO2015054086A1 (en) | Proof of device genuineness | |
| KR100939725B1 (en) | Mobile terminal authentication method | |
| CN105184557A (en) | Payment authentication method and system | |
| KR20120080283A (en) | Otp certification device | |
| CN101944216A (en) | Double-factor online transaction security authentication method and system | |
| CN115801232A (en) | Private key protection method, device, equipment and storage medium | |
| CN103455914A (en) | Safety authentication method and remote controller and television payment system using same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 17th floor, building B, Huizhi building, No.9, Xueqing Road, Haidian District, Beijing 100085 Patentee after: Feitian Technologies Co.,Ltd. Country or region after: China Address before: 100085 17th floor, block B, Huizhi building, No.9 Xueqing Road, Haidian District, Beijing Patentee before: Feitian Technologies Co.,Ltd. Country or region before: China |
|
| CP03 | Change of name, title or address | ||
| OL01 | Intention to license declared | ||
| OL01 | Intention to license declared |